apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  annotations:
    shipit.shopify.io/restart: 'true'
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  selector:
    matchLabels:
      name: web
  template:
    metadata:
      annotations:
        ad.datadoghq.com/puma.logs: '[{"source":"rails","service":"rubygems.org","version": <%= current_sha.dump %>}]'
      labels:
        name: web
        tags.datadoghq.com/env: "<%= environment %>"
        tags.datadoghq.com/service: rubygems.org
        tags.datadoghq.com/version: <%= current_sha %>
    spec:
      containers:
      - name: puma
        image: 048268392960.dkr.ecr.us-west-2.amazonaws.com/rubygems/rubygems.org:<%= current_sha %>
        args: ["puma", "--environment", "<%= environment %>", "--config", "/app/config/puma.rb"]
        ports:
        - containerPort: 3000
          name: http-puma
        readinessProbe:
          httpGet:
            path: /internal/ping
            port: 3000
            httpHeaders:
            - name: X-Forwarded-Proto
              value: https
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
        resources:
          <% if environment == 'production' %>
          requests:
            cpu: 4000m
            memory: 5Gi
          limits:
            cpu: 5000m
            memory: 6Gi
          <% else %>
          requests:
            cpu: 200m
            memory: 1.5Gi
          limits:
            cpu: 1000m
            memory: 2Gi
          <% end %>
        env:
          - name: RAILS_ENV
            value: "<%= environment %>"
          - name: ENV
            value: "<%= environment %>"
          - name: RAILS_GROUPS
            value: "avo"
          - name: WEB_CONCURRENCY
            value: "<%= environment == 'production' ? 8 : 2 %>"
          - name: RAILS_MAX_THREADS
            value: "5"
          - name: DD_TAGS
            value: "app:rubygems.org service:rubygems.org env:<%= environment %>"
          - name: DD_AGENT_HOST
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: STATSD_IMPLEMENTATION
            value: "datadog"
          - name: STATSD_HOST
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: status.hostIP
          - name: STATSD_ADDR
            value: $(STATSD_HOST):8125
          - name: STATSD_GROUPING
            value: "rubygems.org"
          # https://github.com/yob/puma-plugin-statsd/blob/b01769e37e30b801b82dbc0ab899a695731d3629/README.md#my_pod_name
          - name: MY_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: SECRET_KEY_BASE
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: secret_key_base
          - name: PREVIOUS_SECRET_KEY_BASE
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: previous_secret_key_base
          - name: RAILS_SERVE_STATIC_FILES
            value: "true"
          - name: AWS_REGION
            value: "us-west-2"
          - name: FASTLY_LOG_PROCESSOR_ENABLED
            value: "true"
          - name: S3_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: aws_access_key_id
          - name: S3_SECRET
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: aws_secret_access_key
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: aws_access_key_id
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: aws_secret_access_key
          - name: HONEYBADGER_API_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: honeybadger_api_key
          - name: FASTLY_API_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: fastly_api_key
          - name: FASTLY_SERVICE_ID
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: fastly_service_id
          - name: FASTLY_DOMAINS
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: fastly_domains
          - name: ELASTICSEARCH_URL
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: elasticsearch_url
          - name: SEARCH_NUM_REPLICAS
            value: "<%= environment == 'production' ? 2 : 1 %>"
          - name: MEMCACHED_ENDPOINT
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: memcached_endpoint
          - name: SENDGRID_USERNAME
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: sendgrid_username
          - name: SENDGRID_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: sendgrid_password
          - name: SENDGRID_WEBHOOK_USERNAME
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: sendgrid_webhook_username
          - name: SENDGRID_WEBHOOK_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: sendgrid_webhook_password
          - name: GITHUB_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: github_key
          - name: GITHUB_SECRET
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: github_secret
          - name: AVO_LICENSE_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: avo_license_key
          - name: DATADOG_CSP_API_KEY
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: datadog_csp_api_key
          - name: HOOK_RELAY_ACCOUNT_ID
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: hook_relay_account_id
          - name: HOOK_RELAY_HOOK_ID
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: hook_relay_hook_id
          - name: RUBYGEMS_PROXY_TOKEN
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: rubygems_proxy_token
          <% if environment == 'staging' %>
          - name: DISABLE_SIGNUP
            value: "true"
          - name: RAILS_LOG_LEVEL
            value: "info"
          <% end %>
          - name: DATABASE_URL
            valueFrom:
              secretKeyRef:
                name: <%= environment %>
                key: database_url
        securityContext:
          privileged: false
        lifecycle:
          preStop:
            exec:
              command: ["sleep", "25"]
        volumeMounts:
        - name: sigstore-signing-token
          mountPath: /var/run/secrets/sigstore
          readOnly: true
      - name: nginx
        image: nginx:1.25.2
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8080
          name: http-nginx
          protocol: TCP
        resources:
          <% if environment == 'production' %>
          requests:
            cpu: 100m
            memory: 20Mi
          limits:
            cpu: 300m
            memory: 200Mi
          <% else %>
          requests:
            cpu: 20m
            memory: 10Mi
          limits:
            cpu: 60m
            memory: 100Mi
          <% end %>
        volumeMounts:
          - name: nginxconfig
            mountPath: /etc/nginx
            readOnly: true
          - name: nginxlog
            mountPath: /var/log/nginx
          - name: nginxcache
            mountPath: /var/lib/nginx/cache
          <% if environment == 'staging' %>
          - name: nginxbasicauth
            mountPath: /etc/nginxbasicauth
            readOnly: true
          <% end %>
        livenessProbe:
          httpGet:
            path: /nginx_health
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /nginx_health
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
        lifecycle:
          # https://blog.gruntwork.io/delaying-shutdown-to-wait-for-pod-deletion-propagation-445f779a8304
          preStop:
            exec:
              command: [
                "sh", "-c",
                # Introduce a delay to the shutdown sequence to wait for the
                # pod eviction event to propagate. Then, gracefully shutdown
                # nginx.
                "sleep 20 && /usr/sbin/nginx -s quit",
              ]
      volumes:
        - name: nginxconfig
          configMap:
            name: nginx-configmap
            items:
              - key: default
                path: nginx.conf
              - key: logging
                path: conf.d/logging.conf
              - key: rubygems
                path: sites-enabled/<%= environment %>.ruybgems.conf
        - name: nginxlog
          emptyDir: {}
        - name: nginxcache
          emptyDir: {}
        <% if environment == 'staging' %>
        - name: nginxbasicauth
          secret:
            secretName: nginx-basic-auth
        <% end %>
        - name: sigstore-signing-token
          projected:
            sources:
            - serviceAccountToken:
                path: sigstore-signing-token
                expirationSeconds: 600
                audience: sigstore
